The so-called COATHANGER malware appears to have been used in a far larger espionage campaign than previously thought. In 2022 and 2023, the Chinese state actor behind it gained access to at least 20,000 FortiGate systems.
Earlier this year, two Dutch intelligence services (the MIVD and the AIVD) revealed details about COATHANGER, which in 2023 was found on a network used for R&D projects in cooperation with the Dutch Ministry of Defense. To get in, the Chinese attackers exploited CVE-2022-42475, a pre-authentication heap-based buffer overflow in the SSL-VPN service of FortiOS, the operating system of FortiGate firewalls. Outgoing Defense Minister Ollongren said the information was shared to alert other organizations.
Major campaign
CVE-2022-42475 was exploited as a zero-day for more than two months before Fortinet publicly disclosed it in December 2022. About 14,000 devices were compromised during that window alone, after which the total rose to more than 20,000 FortiGate systems worldwide. “Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC’s June 10 release (in Dutch) notes.
After the initial compromises, the state actor installed malware on “relevant targets” to obtain persistent access. How many targets received the implant is not known. The NCSC reiterates that this access survives the installation of Fortinet patches: patching CVE-2022-42475 closes the entry point, but COATHANGER is designed to survive reboots and firmware upgrades, so an implant that is already present is not removed by the update. This was already known, but given the scale of the campaign its impact is also greater than previously thought. Even the detailed advisory on COATHANGER published earlier this year is not enough to consider the threat dealt with: “The NCSC and the Dutch intelligence agencies therefore state that it is likely that the state actor is still currently accessing systems of a significant number of victims.”
Edge devices advisory
To limit further damage, the NCSC is releasing the so-called knowledge product “Dealing with edge devices: Five challenges and advice when using edge devices”, which is currently only available in Dutch. The document describes the challenges of operating firewalls, VPN servers, routers, SMTP servers and similar internet-facing equipment, and pairs them with five pieces of advice that revolve around visibility into which edge devices are in use and how they are managed. These are often fairly fundamental IT hygiene issues, but the NCSC specifically asks for extra attention to them so that COATHANGER does not lead to further problems.
Central to the advice is the assumption that your organization has already been compromised, the “assume breach” principle. Mitigating measures such as network segmentation, detection, incident response plans and “forensic readiness” (having logs and device images ready so that an intrusion can be investigated after the fact) are cited. The latter is explained in detail by NCSC security specialist Wim van Ruijven in an expert blog, again only available in Dutch, with the option of machine translation through a browser.